[Snort-users] Snort SACK Option DoS clarifications
roesch at ...1935...
Mon Sep 12 19:27:18 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
FYI, here are a few points about this issue.
1) It's a DoS if you're running in verbose mode. If you're running
Snort as a NIDS you shouldn't be running in verbose mode as it will
torpedo your performance, this has been known for over 6 years now.
If you're running in sniffer mode and someone DoS's you, go grab
log.c from CVS, recompile and you're fine.
2) This is a NULL pointer dereference, so it won't turn into more
than a DoS.
3) The guy who released the advisory for this relatively minor issue
decided to do so without coordination with the Snort project or
Sourcefire, even though we asked him to wait so we could coordinate.
Rolling out a Snort release is a complex series of events and we have
several other bug fixes that we're putting together for 2.4.1 (check
out CVS if you want to see the fixes) plus docs and so on that need
to go in there.
Fact of the matter is that this guy decided that responsible
disclosure wasn't necessary in this case and then decided to make a
big deal out of it (high risk my ass). Whatever. We'll get 2.4.1
out as soon as we can and that'll be that.
If anyone has any questions or comments feel free to drop me a mail.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
-----END PGP SIGNATURE-----
More information about the Snort-users